Mitel Forums - The Unofficial Source
Mitel Forums => Mitel Software Applications => Topic started by: fcutler on December 11, 2015, 03:30:41 PM
-
I looked through the forums and almost had this question answered but not quite. We have a Mitel Border Gateway version 8 and Mitel 3300 MXe 6.0 SP2. We will be moving the MBG to a DMZ this weekend and there are concerns with the number of UDP ports open from the internet to the server. The current setting is 20000 to 31000.
We have 10 devices only so I am wondering what the appropriate SRTP ending port could be since this is configurable? I believe that each session requires 2 ports (even for RTP and odd for RTCP). If this is true then would setting the SRTP ending port to 20020 or 20022 suffice?
-
Yes that should be enough, 2 per. I would leave some extra for growth. Hate to have to hit many devices to add one more, and not really a security risk IMHO
-
actually, 4 ports per... only 2 actual ports are used by sockets, but RTP has to be on "even" ports, "RTCP" (which is supported in later MBG versions) is on "odd" ports.
so... it goes like this.
20000 and 20001 are reserved (20000 for TNA and 20001 for tftp)
the last port is also reserved for TNA (so TNA can tell if your port range is open).
4*number of active calls. We only allocate a socket when a set is in a call.
In your case, 10 sets, assume all of them could be in a call at once.
40 ports for sets, plus the reserved 4 (last port and since it's likely odd, the even one before that).
20000 - 20044
But as was pointed out above, it's not a security issue to open up more, any port that has no socket will reject any traffic to it.
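The sizing laid out in the reply above, as a small added calculator (not code from the thread or from Mitel). It assumes the layout the reply describes: range starts at 20000, the first two ports reserved for TNA and tftp, four ports per set in a call (even RTP / odd RTCP pairs), and the final even/odd pair reserved for TNA; counted inclusively from 20000 that is 44 ports ending at 20043, one short of the 20044 written above, so treat the headroom argument as the "extra for growth" the earlier reply recommends.

```python
"""Size an MBG SRTP/UDP port range from the number of sets.

Assumed layout (taken from the forum reply, not from Mitel documentation):
  20000            reserved (TNA)
  20001            reserved (tftp)
  4 ports per set  an even RTP / odd RTCP pair in each direction
  last two ports   reserved (TNA range probe and the even port before it)
"""

START = 20000
RESERVED_HEAD = 2      # 20000 TNA, 20001 tftp
RESERVED_TAIL = 2      # last port (TNA probe) plus the even port before it
PORTS_PER_CALL = 4     # RTP+RTCP in each direction


def srtp_range(sets, spare_sets=0):
    """Inclusive (start, end) covering `sets` simultaneous calls plus headroom."""
    if sets < 0 or spare_sets < 0:
        raise ValueError("set counts must be non-negative")
    total = RESERVED_HEAD + PORTS_PER_CALL * (sets + spare_sets) + RESERVED_TAIL
    return START, START + total - 1


def call_port_pairs(sets):
    """(RTP, RTCP) pairs a full load of `sets` calls occupies; RTP is always even."""
    first = START + RESERVED_HEAD          # 20002 is the first usable even port
    pairs = []
    for i in range(sets * PORTS_PER_CALL // 2):
        rtp = first + 2 * i
        pairs.append((rtp, rtp + 1))
    return pairs


def calls_supported(end_port):
    """Simultaneous calls a firewall opening of 20000..end_port can carry."""
    usable = end_port - START + 1 - RESERVED_HEAD - RESERVED_TAIL
    return max(0, usable // PORTS_PER_CALL)


if __name__ == "__main__":
    print("10 sets, no headroom:", srtp_range(10))          # (20000, 20043)
    print("10 sets, 2 spare:   ", srtp_range(10, 2))        # (20000, 20051)
    print("calls at 20022:     ", calls_supported(20022))   # 4
    print("first/last pair:    ", call_port_pairs(10)[0], call_port_pairs(10)[-1])
```

Run against the original question, `calls_supported(20022)` returns 4, so an ending port of 20020 or 20022 would carry four simultaneous calls rather than ten under this model.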
-
Thank you for the responses, they are very helpful. The security team will be happy to reduce the number from 11,000 to 44 even if technically it is not a security risk.
Do either of you know if Mitel offers patches for security vulnerabilities? I am waiting for an answer from our vendor on this and also had the thought that for general vulnerabilities maybe another source besides Mitel could be utilized. For example a Nexpose scan on our Nupoint server found these:
OpenSSL/TLS MITM (CVE-2014-0224)
NTP: DoS in monlist feature of ntpd (CVE-2013-5211)
NTP: Information disclosure in reslist feature of ntpd (CVE-2014-5209)
TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)
-
Most security patches are delivered in the base O/S, update to the latest MSL service link for your version. I think the MOL site has all this somewhere. (Your NTP and RC4 issues are fixed there, though MBG also exposes RC4 and you'll need to update to get that one fixed).
For application specific issues, you'll have to contact PS.